Comments for Thief Disguises Himself as Security Guard

A blog covering security and security technology.

Comment from security on 2006-11-24 (http://www.securityusa.info/)
This story is now six months old - cannot find anything over the Internet about any arrests having been made - ever.

Does anyone have an update?

Comment from Bill McGonigle on 2006-05-31 (http://blog.bfccomputing.com)
Wow, a quarter million dollars a day is a nice revenue stream for a museum.

Comment from Davi Ottenheimer on 2006-05-19 (http://davi.poetry.org/)
Life imitates art?

Comment from K on 2006-05-13
He also had a true matriculation number of another security guard (same company).

Comment from rfmonk on 2006-05-13 (http://rfmonk.blogspot.com)
Maybe the guy handing over the money was getting paid off. Good story, Bruce.

Comment from Anonymous on 2006-05-12
@Paul

>> Even if you tell the staff to verify the guard's ID, you've only moved the problem over a slight distance (unless the security company has unforgeable IDs, some kind of mechanical verification method, and a highly secure ID distribution infrastructure.)

Nothing is unforgeable. I can make an ID which is very difficult to forge, however, and fairly cheaply. (Even more difficult if you don't let someone get a good look at it, except when verifying a guard's identity -- and certainly never let it near a scanner.)

The mechanical verification method is to compare the picture on the ID to the person's face.

The highly secure ID distribution infrastructure is handing it to the guard after they pass all of our background checks . . . (sighs)

Yeah, the moral I think about these kinds of acts is that people are beginning to see a uniform as a form of authentication. I agree that they "assume" that the person is wearing a uniform conforming to the guidelines, and they will be treated so. It is in fact as stated above: the human factor. Relying on a mere uniform should produce problems, and in this case and many others it happened. In my country (NL) we had similar experiences where thieves were dressed like cops, and they took the wallets of tourists and held people and gave them tickets which they had to pay upfront. The solution? I cannot think of one other than proper (better) authentication. Anyone have other ideas?

Comment from Marcelus Berry on 2006-05-12
It is always the human element of Security that fails; intrusion is an acquired and developed capacity, but our most quotidian and predictable customs and duties may actually be creating an invisible open path for deception.

Comment from Pat Cahalan on 2006-05-12
@ Trent

He probably reads this blog. "It's all Schneier's fault, for giving these criminals the idea!"

(those are sarcasm " "s).

Comment from Trent on 2006-05-12 (http://dyrandsystems.blogspot.com/)
I wonder what movie he watched to get the idea?

Comment from paul on 2006-05-12
Even if you tell the staff to verify the guard's ID, you've only moved the problem over a slight distance (unless the security company has unforgeable IDs, some kind of mechanical verification method, and a highly secure ID distribution infrastructure.)

Comment from RC on 2006-05-12
What I'd like to know is how soon the exact same approach will again work on that same Museum. I think it is unlikely that they will change their security procedures in a way that necessarily precludes this type of attack. They may tell their staff to check the guard's ID and not to give the money to a new guard without verifying that ID ... but after a time the staff will become lazy, newer employees will not be given the same instructions, and the attack will work again.

Comment from wkwillis on 2006-05-12
I'm a security guard. I have been transferred (not fired, I'm contract so I get transferred to a new account if the client is unhappy) for doing my job. Last time was when I stopped a guy drafting (walking in behind someone with an access card) and he got upset. The client security director told me that I was doing my job, but that they were moving me anyway because the guy was upset.
No big deal. I worked two other accounts for a while, then moved to another, then had to go take care of my sister for a while, and now I'm back at the same security company.
Generally the security guards will do the best job you allow them to do. If you transfer them for doing their job, they will shrug and stop doing it.
But if you discipline one guard for doing their job AND you discipline some other security guard for not doing their job, you have some severe liability problems.

Comment from Chase Venters on 2006-05-12
@Andrew

Fighting crime is difficult. Often, the responsibility of catching / stopping walk-outs is placed on the waiter. If they suspect something, they're supposed to tell management. (But they can't chase the people into the parking lot.)

Guess who pays when the customer walks? That's right - the waiter.

Comment from Andrew on 2006-05-12
Uniforms are easy to fake. Procedures tend towards a depressing commonality. Even those businesses that use courier lists with pictures and signatures (which should be everybody!) don't always refer to them.

This is also why there are floor limits, over the counter limits, and over the street limits. To limit the losses if any one take goes awry.

The only answer is to shift some of the burden from the institution to the employee. ("If you give the money to the wrong person, it'll come out of your check . . . ")

Comment from @nonymou5 on 2006-05-12
Oh, ya I should also state, the hotel went cheap on the guard. Instead of hiring a service which has bonded guards they hired someone directly (unbonded). Last I knew about the situation they never found the guy. I am sure he had fake info when they hired him. Shows you really don't save money when you go cheap on your security.

Comment from @nonymou5 on 2006-05-12
While in school, I had a job at a hotel to balance the books for the day. We did not have any procedures to verify anything, other than the daily balance sheet. One night the night shift security guard for the hotel (the real one), came up to me and said the manager wanted to audit the cash drawers. It sounded strange, but since I wasn't as suspicious as I am today, I gave him the drawers. 1/2 hour later I am wondering when I will get the drawers back. The morning shift is going to need them. So I called the manager and asked when I am going to get them back. He had no idea of what I was talking about. Then we realized the guard decided to make this his last night on the shift and disappear.

That's when I realized I should always "trust, but verify". ;)

Comment from gingerweed on 2006-05-12
Headline should read "Security" rather than "Museum".

Comment from Jungsonn on 2006-05-12 (http://www.jungsonnstudios.com)
Maybe he read Bruce's blog. This time the "real" Thomas Crown Affair. :)

Comment from jmc on 2006-05-12
One does expect the cashier people to be less cautious when being confronted with the same guy for a period of say 20 years during which all has worked out fine. But the guy being a total stranger to the museum guys should have made them a lil' bit more thoughtful.

Comment from Hex on 2006-05-12
Reminds me of this. http://www.improveverywhere.com/mission_view.php?mission_id=57

Comment from meme on 2006-05-12
brilliant!

Comment from Matt on 2006-05-12 (http://blog.secosoft.net)
Haha, perfect!

When giving someone a quarter million US, you would think that they would check the person's ID against a known-couriers list or something... wow